Folks, I noticed a recent thread that talks about the default active-response blackout being ten minutes. I jacked this up to a day (86400) in my case, just to cut down the volume of brute-force SSH attacks.
It would be really nifty if active response could have a kind of 'recursive backoff' mechanism like the one DHCP uses to poll for a server, but conceptually reversed: the first time an IP hits an OSSEC rule, it gets blocked for five minutes, then goes into a database with a value of '1' associated with it when OSSEC unblocks it. The second time, it gets (e.g.) half an hour, and after the half-hour that database value gets incremented, and so on through four hours, a day, a week, a month, and maybe even a year. Then every 24 hours after the block is removed, if we haven't blocked that host for at least 24 hours, we decrement the 'badness' counter. Obviously these numbers are just examples, and it might be worth having a random factor in there to make this less predictable for attack purposes, but you get the idea: persistently bad IPs can potentially stay bad for as long as that owner has them. If an IP is launching an attack with intent to DoS you or break in, it would be nice to just never hear from them again, or at least block them until they lose interest.

I'm sure there was some solid reasoning behind the default fixed value for active-response.timeout. I'd love to hear it if anyone knows what it was.

--
Thorne Lawler
Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
[EMAIL PROTECTED] | www.kaz-group.com

--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.
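The escalating 'badness' scheme proposed in the message above, as an added illustration that is neither part of the original post nor OSSEC's own code: a small Python model of the tier ladder (5 min, 30 min, 4 h, 1 day, 1 week, 1 month, 1 year), the increment on unblock, the 24-hour decay, and the optional random factor. The in-memory dict stands in for the persistent database the post mentions, the month is taken as 30 days, the counter is capped at the top tier, and the `hit`/`is_blocked`/`badness` interface and the constructed timeline in `simulate()` are assumptions made for the example; a real active-response hook would call `hit()` with `time.time()` from the block script rather than from a simulated clock.

```python
import random
from dataclasses import dataclass

# Escalation ladder from the post: 5 min, 30 min, 4 h, 1 day, 1 week,
# 1 month (taken as 30 days) and 1 year, all in seconds. These are the
# post's example values, not OSSEC defaults.
TIERS = [5 * 60, 30 * 60, 4 * 3600, 86400, 7 * 86400, 30 * 86400, 365 * 86400]
DECAY_INTERVAL = 86400  # one badness point forgiven per 24 h without a block


@dataclass
class Record:
    """Per-IP state; in a real deployment this row lives in a persistent store."""
    badness: int = 0           # index of the tier the next block will use
    active: bool = False       # currently blocked?
    blocked_until: float = 0.0
    last_unblock: float = 0.0  # when the most recent block expired


class EscalatingBlocker:
    """Model of the escalating active-response timeout proposed in the post.

    Timestamps are plain seconds supplied by the caller so the logic can be
    driven by a simulated clock; a real hook would pass time.time().
    """

    def __init__(self, tiers=TIERS, decay_interval=DECAY_INTERVAL,
                 jitter=0.0, rng=None):
        self.tiers = list(tiers)
        self.decay_interval = decay_interval
        self.jitter = jitter          # e.g. 0.2 -> durations vary by +/-20 %
        self.rng = rng or random.Random()
        self.db = {}                  # ip -> Record (stand-in for the database)

    def _expire(self, rec, now):
        # A block whose timeout has run out counts as "unblocked" at that
        # instant, and that is when the post says badness gets incremented.
        if rec.active and now >= rec.blocked_until:
            rec.active = False
            rec.last_unblock = rec.blocked_until
            rec.badness = min(rec.badness + 1, len(self.tiers) - 1)

    def _decay(self, rec, now):
        # For every full 24 h since the last unblock with no new block,
        # forgive one point. Advancing last_unblock keeps the accounting
        # exact when this is evaluated lazily on the next hit.
        if rec.active or rec.badness == 0 or rec.last_unblock == 0.0:
            return
        steps = int((now - rec.last_unblock) // self.decay_interval)
        if steps > 0:
            rec.badness = max(0, rec.badness - steps)
            rec.last_unblock += steps * self.decay_interval

    def hit(self, ip, now):
        """Record a rule match for ip at time now.

        Returns the block duration to apply in seconds, or 0 if the host is
        already blocked and nothing new needs to be done.
        """
        rec = self.db.setdefault(ip, Record())
        self._expire(rec, now)
        self._decay(rec, now)
        if rec.active:
            return 0
        duration = self.tiers[min(rec.badness, len(self.tiers) - 1)]
        if self.jitter:
            # The random factor the post suggests, so an attacker cannot
            # predict exactly when the block lifts.
            duration = int(duration * (1 + self.rng.uniform(-self.jitter, self.jitter)))
        rec.active = True
        rec.blocked_until = now + duration
        return duration

    def is_blocked(self, ip, now):
        rec = self.db.get(ip)
        if rec is None:
            return False
        self._expire(rec, now)
        return rec.active

    def badness(self, ip, now):
        """Current badness after applying expiry and decay up to now."""
        rec = self.db.get(ip)
        if rec is None:
            return 0
        self._expire(rec, now)
        self._decay(rec, now)
        return rec.badness


def simulate():
    """Constructed timeline (seconds) for one repeat offender."""
    b = EscalatingBlocker()
    ip = "198.51.100.7"  # documentation address, constructed for the example
    out = []
    out.append(b.hit(ip, 0))      # first offence: 5 min
    out.append(b.hit(ip, 100))    # still blocked: nothing to do
    out.append(b.hit(ip, 400))    # block expired at 300, badness 1: 30 min
    out.append(b.hit(ip, 3000))   # expired at 2200, badness 2: 4 h
    # That block ran out at 17400; two quiet days later badness has
    # decayed from 3 back to 1, so the host gets 30 min again.
    out.append(b.hit(ip, 17400 + 2 * 86400 + 10))
    return out


if __name__ == "__main__":
    print(simulate())  # [300, 0, 1800, 14400, 1800]
```

Evaluating expiry and decay lazily on the next hit, rather than with a timer, is what makes the model fit an active-response script that is only invoked when a rule fires; the same lazy evaluation is what a real implementation would do on each read of the database row.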
